{ "id": "ff8206c4-84d3-4f92-a69b-7cf6b70e582c", "created_at": "2026-04-06T00:10:10.295766Z", "updated_at": "2026-04-10T03:34:00.499596Z", "deleted_at": null, "sha1_hash": "3657cc5c6580eefcecd4fe627e07309295e7ebba", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 88981, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:06:28 UTC\r\n APT group: APT 42\r\nNames\r\nAPT 42 (Mandiant)\r\nGreenBravo (Recorded Future)\r\nCountry Iran\r\nSponsor\r\nState-sponsored, Islamic Revolutionary Guard Corps (IRGC)’s Intelligence\r\nOrganization (IRGC-IO)\r\nMotivation Information theft and espionage\r\nFirst seen 2015\r\nDescription (Mandiant) Mandiant assesses with high confidence that APT42 is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and\r\nsurveillance operations against individuals and organizations of strategic interest to\r\nthe Iranian government. We further estimate with moderate confidence that APT42\r\noperates on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence\r\nOrganization (IRGC-IO) based on targeting patterns that align with the\r\norganization's operational mandates and priorities.\r\nActive since at least 2015, APT42 is characterized by highly targeted spear phishing\r\nand surveillance operations against individuals and organizations of strategic interest\r\nto Iran. The group’s operations, which are designed to build trust and rapport with\r\ntheir victims, have included accessing the personal and corporate email accounts of\r\ngovernment officials, former Iranian policymakers or political figures, members of\r\nthe Iranian diaspora and opposition groups, journalists, and academics who are\r\ninvolved in research on Iran. After gaining access, the group has deployed mobile\r\nmalware capable of tracking victim locations, recording phone conversations,\r\naccessing videos and images, and extracting entire SMS inboxes.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=fa55484b-2760-4ac1-9105-96199054d1df\r\nPage 1 of 2\n\nAPT42 has a demonstrated ability to alter its operational focus as Iran’s priorities\nevolve over time. We anticipate APT42 will continue to conduct cyber espionage\noperations in support of Iran’s strategic priorities in the long term based on their\nextensive operational history and imperviousness to public reporting and\ninfrastructure takedowns.\nThe full published report covers APT42’s recent and historical activity dating back\nto at least 2015, the group’s tactics, techniques, and procedures, targeting patterns,\nand elucidates historical connections to Magic Hound, APT 35, Cobalt Illusion,\nCharming Kitten. APT42 partially coincides with public reporting on ITG18.\nObserved\nSectors: Education, Government, Healthcare, Manufacturing, Media, Non-profit\norganizations, Pharmaceutical and Legal and professional services.\nCountries: Australia, Bulgaria, Iran, Italy, Malaysia, Norway, UAE, UK, Ukraine,\nUSA.\nTools used\nBROKEYOLK, CHAIRSMACK, DOSTEALER, Ghambar, GORBLE,\nMAGICDROP, PINEFLOWER, POWERPOST, SILENTUPLOADER,\nTABBYCAT, TAMECAT, VBREVSHELL, VINETHORN.\nOperations performed\nSep 2022\nIran: State-Backed Hacking of Activists, Journalists, Politicians\nFeb 2024\nIranian backed group steps up phishing campaigns against Israel,\nU.S.\nInformation\nLast change to this card: 23 October 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=fa55484b-2760-4ac1-9105-96199054d1df\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=fa55484b-2760-4ac1-9105-96199054d1df\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=fa55484b-2760-4ac1-9105-96199054d1df" ], "report_names": [ "showcard.cgi?u=fa55484b-2760-4ac1-9105-96199054d1df" ], "threat_actors": [ { "id": "82b92285-4588-48c9-8578-bb39f903cf62", "created_at": "2022-10-25T15:50:23.850506Z", "updated_at": "2026-04-10T02:00:05.418577Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "Charming Kitten" ], "source_name": "MITRE:Charming Kitten", "tools": [ "DownPaper" ], "source_id": "MITRE", "reports": null }, { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "82f54603-89e0-4f5a-8df9-eae0c3a90d70", "created_at": "2022-10-25T16:07:23.745406Z", "updated_at": "2026-04-10T02:00:04.734764Z", "deleted_at": null, "main_name": "ITG18", "aliases": [], "source_name": "ETDA:ITG18", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "9f778366-a4a7-42f1-ab1e-362aa065ee4f", "created_at": "2022-10-25T16:07:23.362157Z", "updated_at": "2026-04-10T02:00:04.562925Z", "deleted_at": null, "main_name": "APT 42", "aliases": [ "GreenBravo" ], "source_name": "ETDA:APT 42", "tools": [ "BROKEYOLK", "CHAIRSMACK", "CORRUPT KITTEN", "DOSTEALER", "GORBLE", "Ghambar", "MAGICDROP", "PINEFLOWER", "POWERPOST", "SILENTUPLOADER", "TABBYCAT", "TAMECAT", "VBREVSHELL", "VINETHORN" ], "source_id": "ETDA", "reports": null }, { "id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1", "created_at": "2023-03-04T02:01:54.091301Z", "updated_at": "2026-04-10T02:00:03.356317Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "UNC788", "CALANQUE" ], "source_name": "MISPGALAXY:APT42", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8", "created_at": "2025-04-23T02:00:55.275208Z", "updated_at": "2026-04-10T02:00:05.270553Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "APT42" ], "source_name": "MITRE:APT42", "tools": [ "NICECURL", "TAMECAT" ], "source_id": "MITRE", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434210, "ts_updated_at": 1775792040, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3657cc5c6580eefcecd4fe627e07309295e7ebba.pdf", "text": "https://archive.orkl.eu/3657cc5c6580eefcecd4fe627e07309295e7ebba.txt", "img": "https://archive.orkl.eu/3657cc5c6580eefcecd4fe627e07309295e7ebba.jpg" } }